Hexxed BitHeadz

, , ,

GonkWare v0.55

Hexxed BitHeadz

Jack in — GonkWare 0.55 just dropped. New tabs, new toys, and a whole new layer of chaos.”

Tab 1: Shellcode Generator

It may not look very different at first, but open the Techniques dropdown and a whole new set of options appears: HTARunner, VBAMacro, csproj (MSBuild), process injection, and Shellcode Runner.

Demo Time!

To demo one real quick, we’ll select Process Injection, in the left pane we’ll confirm the target architecture, payload preference, connection type, interface, and port, then hit Generate. The source code will appear in the middle pane after a few seconds. Then we’ll select the AppLocker checkbox on the right pane; this will dynamically modify the code so the exe behaves differently. What does that mean? Well, it will be set to uninstall versus instead that running normally. NEAT! Finally, we’ll hit Build EXE, deliver the file, and run it. By default the exe file will  look for explorer.exe and injects into that process.

Tab 2: Mimikatz Parser

We loved this idea, and it got kinda fancy: paste the Mimikatz output, and this would parse usernames / passwords / hashes out for you. We were even figuring out how to set up a listener and have Mimikatz just feed the results to the listener, so you wouldn’t have to worry about saving to disk or having to copy all that nonsense 😊.

All development and testing happened with the help of the Game Of Active Directory environment, which is why the examples below reference the SEVENKINGDOMS domain.

Promise: zero dragons harmed 🐉

Demo Time! Mimikatz Parser

So, one challenge came up: the attack flow requires mimikatz.ps1 to be hosted locally so target can grab it. Once we started adding single resources like that, it quickly felt like we were on track to packing GonkWare with every popular tool and do not wish to go that route. We’ll discuss our design decision and alternatives in the closing remarks.

TAB 3: Impacket

We wanted the tool to auto-generate dynamic command examples from Mimikatz findings. So, think of it like this, we have a fairly blank screen below:

Once we click the Import from Mimikatz Parser button, the credentials will auto-populate. From there we select the Impacket tool we will use, then GonkWare will generate the exact command, next is copy, paste in the terminal and run. In the screenshot below we imported a file that contained 12 hashes, picked psexec.py selected a user and hash, clicked Generate Commands , and voilà the ready-to-run command appears.

Tab 4: Hash Tools

Pretty straightforward! Drop in a plaintext password, hit Generate, and get the hash, perfect for Kerberos ticket stuff.

Tab 5: Encoder/Decoder

Another handy tool! Most needed since we find ourselves 99% of the time encoding PowerShell commands.

Now What?!

Okay, that’s all the cool progress we made with GonkWare. Now for the challenges. We ran into a fun dilemma trying to do cool things with popular tools like the Mimikatz parser. The original idea was simple: have the operator run Mimikatz, then copy/paste the output into GonkWare for parsing. But we pushed it further to hosting Mimikatz from GonkWare, having the target grab and load it into memory, and display the results straight back. Love the idea and execution, but including all these tools into GonkWare, was never in our plans.

That led us down a dangerous rabbit hole: how could we overcome these issues? We thought about “check-in” behavior instead of a constant connection… and suddenly… we realized we’d accidentally started building an implant. A beacon without any C2 framework to support it. That’s a problem we weren’t prepared to solve, nor did we want to reinvent or outdo any of the fantastic C2 frameworks that already exist.

Will we be seeing anymore of GonkWare? Well, probably not in the form that we know it as. Even without the whole shellcode generation part, we would really like to build more on the whole mimikatz parser > impacket commands piece, and may hopefully make an appearance in the future.

So, will GonkWare continue? Possibly, but probably not in the form that we know it. We still love the Mimikatz parser → Impacket command generator concept and may continue to develop that piece separately.

Unfinished GonkWare project, hoping to repurpose it sometime in the future: https://github.com/HexxedBitHeadz/GonkWare

Where do we go from here? What’s next? Seems like a good time to poke at some C2’s, especially now since we got the Game Of Active Directory set up in the home lab. Whoop Whoop!